Snort mailing list archives

RE: Heavy ICMP Traffic


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Mon, 4 Nov 2002 15:24:17 -0500

In my experience this is normally a monitoring system using a standard ping
utility to monitor the 192.168.2.4 box.
hth,
John

-----Original Message-----
From: Brian M. Diehl [mailto:bdiehl () a1limo com]
Sent: November 4, 2002 2:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Heavy ICMP Traffic


        I have snort on a newly installed rh7.3 box, it's been running for
this weekend and I found some really interesting things in the alert log.  I
haven't been able to find info in the archives.  They are sadly 2 win2k
boxes running, and I'm seeing this between the two of them.

[**] ICMP L3retriever Ping [**]
11/02-01:17:16.078236 xxx.xxx.217.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4402 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:9278  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The .53 is an external address for one of my boxes, and obviously the 2.4
address is NAT'd for a box with no external addy and is a win2k PDC. I have
a roughly 20 meg log file for this particular incident.  Does anyone know what
this is?  Is this "normal" Windows crap?  The odd thing is I'm not seeing a
reply from 2.4 to .53....

TIA!

Brian.
bdiehl () a1limo com


-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
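
An added example, not part of the original thread or of Snort itself: a small parser for alert entries in the layout quoted above that groups them by signature and address pair and flags near-constant spacing, which is the pattern a ping-based monitoring system would leave. The sample log, the 192.0.2.53 address, the assumed year and the 10% tolerance are all constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(r"^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.+?)\s*\[\*\*\]\s*$")
FLOW = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Constructed sample: five alerts, one minute apart, in the layout quoted above.
# 192.0.2.53 is a documentation address standing in for the masked external IP.
ENTRY = """[**] ICMP L3retriever Ping [**]
11/02-01:{m:02d}:16.0{us:05d} 192.0.2.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:{ipid} IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:{seq}  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

"""
SAMPLE = "".join(ENTRY.format(m=17 + i, us=78236 + 40 * i, ipid=4402 + i, seq=9278 + 256 * i)
                 for i in range(5))

def parse_alerts(text, year=2000):
    """Yield (msg, src, dst, datetime) per alert; the log has no year, so one is assumed."""
    msg = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            msg = h.group("msg")
            continue
        f = FLOW.match(line)
        if f and msg is not None:
            when = datetime.strptime(f"{year}/{f.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
            yield msg, f.group("src"), f.group("dst"), when
            msg = None  # wait for the next [**] header

def summarize(text, tolerance=0.1):
    """Group alerts by (msg, src, dst) and flag flows whose gaps are near-constant."""
    flows = defaultdict(list)
    for msg, src, dst, when in parse_alerts(text):
        flows[(msg, src, dst)].append(when)
    report = {}
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps) if gaps else None
        # Heuristic (assumption): at least 3 gaps, all within tolerance of the median.
        periodic = len(gaps) >= 3 and all(abs(g - median) <= tolerance * median for g in gaps)
        report[key] = {"count": len(times), "median_gap_s": median, "periodic": periodic}
    return report

if __name__ == "__main__":
    for (msg, src, dst), stats in summarize(SAMPLE).items():
        print(f"{msg}: {src} -> {dst} {stats}")
```

A flow flagged as periodic is consistent with scheduled monitoring but does not prove it; the source address still has to be matched to a known host.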

